<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">

<TITLE>Encryption</TITLE>
<link href="style.css" rel="stylesheet" type="text/css">
</HEAD>

<BODY>

<P class="title"><A NAME="HELPArcEncryption"></A>Encryption<hr></P>

<P>Both <A HREF="HELPRARVersusZIP.htm">RAR</A> and <A HREF="HELPRARVersusZIP.htm">
ZIP</A> formats support encryption. To encrypt files you need to specify
a password before archiving or directly in the <A HREF="HELPGetArcGeneral.htm#SetPwd">
Archive name and parameters</A> dialog. In the <A HREF="HELPCommandLineSyntax.htm">
command line</A> this is done by using switch <A HREF="HELPSwP.htm">
-p[pwd]</A>. In WinRAR shell,  to enter a password you may either press
Ctrl+P or select the "Set default password" command in <A HREF="HELPFileMenu.htm">
File menu</A> or click on the small icon of a key in the bottom left
corner of the WinRAR window. To enter a password in <I>Archive name
and parameters</I> dialog press "Set password" button in "Advanced"
set of options.</P>

<P>Unlike ZIP, RAR format allows to encrypt not only file data,
but also other sensitive archive areas: file names, sizes, attributes,
comments and other blocks. If you wish to do it, you need to set 
"Encrypt file names" option in the password dialog or in the command
line mode use the switch <A HREF="HELPSwHP.htm">-hp[pwd]</A> instead
of -p[pwd]. Without a password it is impossible to view even the list
of files in archive encrypted in such mode.</P>

<P><A HREF="HELPArcSolid.htm">Solid</A> RAR archives and archives
with encrypted file names can have only one same password for all archived
files. Files in non-solid RAR archives without name encryption and
in ZIP archives can use different passwords.</P>

<P>Do not forget to remove an entered password, when it is no longer
needed, otherwise you may occasionally archive some files using the
password without wishing to. To remove a password, enter an empty string
instead of a password or close WinRAR and start it again. While a password
exists, the icon of key is yellow, otherwise it will be grey. Also,
when you start an archive operation using a password, title bar of
<A HREF="HELPGetArcName.htm">Archive name and parameters dialog</A>
flashes twice.</P>

<p>If you enabled <i>"Use for all archives"</i> option in password dialog
and entered the empty string as a password, extract and test commands
will skip all encrypted files and archives. In this mode the icon of key
in WinRAR status bar is not displayed.</p> 

<P>You do not need to remove a password if you entered it directly
in <I>Archive name and parameters</I> dialog. Unlike other ways such
password is valid only for the single archiving operation and automatically
removed after its completion.</P>

<P>When extracting encrypted files, it is not necessary to enter the
password before starting the operation, though you may do so. If a
password was not entered before extraction and WinRAR encounters an
encrypted file, the password will be requested from the user.</P>

<p>Archives in <a href="HELPRAR5Format.htm">RAR 5.0 format</a> are encrypted
with AES-256 algorithm in CBC mode and utilize the key derivation function
based on PBKDF2 using HMAC-SHA256.</p>

<p>By default ZIP archives use AES-256 algorithm in CTR mode. But such
archives can be incompatible with some older unzip tools. You can set
"ZIP legacy encryption" option in the password dialog to enable the legacy
ZIP encryption, which is less strong than AES, but provides better
compatibility with older software.</p>

<p>Even though WinRAR allows to use AES-256 both in RAR and ZIP formats,
key derivation function parameters selected in RAR are expected to make
RAR encryption implementation more resistant to brute force attack.
Also RAR allows to encrypt file names and other file properties.
If you need to encrypt sensitive information, it is better to select
RAR archive format. For real security use at least 8 character long passwords.
Avoid common words in passwords, they make a password weaker.
Passwords are case sensitive. Maximum password length is 127 characters.
Longer passwords are truncated to this length.</p>

<p>If "Encrypt file names" option is off, file checksums for encrypted
RAR 5.0 files are modified using a special password dependent algorithm.
It is important, because otherwise it could be possible to guess
file contents based on a checksum value only, without knowing a password.
Such risk would be especially high for short files or for strong BLAKE2
checksum. So do not expect checksums for encrypted RAR 5.0 files to match
actual CRC32 or BLAKE2 values. If "Encrypt file names" option is on,
checksums are stored without modification, because they can be accessed
only after providing a valid password.</p>

<p>Remember that if you lose your password, you will be unable to retrieve
the encrypted files, not even the WinRAR author is able to extract
encrypted files.</P>


</BODY>
</HTML>
